Description
With Debian Trixie release, some images look to be switching to running apt-get dist-clean instead of rm -rf /var/lib/apt/lists/. Example change in ruby image build process: docker-library/ruby@4a6fd7b#diff-8d7a21b017921bb88eaf71656b7b5767203db16e8126fc1e5ad2a9ba0bc542f5
The DKL-DI-0005 check does not seem to handle this. It probably should, as dist-clean/distclean is meant to cover this use case (I believe it does technically leave a few files in /var/lib/apt/lists/ for other purposes, but that doesn't seem to go against the spirit of the check).
What did you expect to happen?
Running against image https://hub.docker.com/layers/library/ruby/3.4.5-slim/images/sha256-0a7f9d32c799e19ec49205eb39c04f15644fa6d683841047839c5613ed3267b3
Did not expect Dockle to flag issue with cleaning the apt-get cache.
What happened instead?
Got:
FATAL - DKL-DI-0005: Clear apt-get caches
* Use 'rm -rf /var/lib/apt/lists' after 'apt-get install|update' : RUN /bin/sh -c set -eux; apt-get update; apt-get install -y --no-install-recommends ca-certificates ; apt-get dist-clean # buildkit
Output of run with -debug:
2025-08-13T11:12:47.922-0400 DEBUG There is no .dockleignore file
2025-08-13T11:12:47.922-0400 DEBUG Skipped update confirmation
2025-08-13T11:12:47.922-0400 DEBUG Start assessments...
2025-08-13T11:12:48.493-0400 DEBUG Start scan : password files
2025-08-13T11:12:48.493-0400 DEBUG Start scan : /etc/passwd
2025-08-13T11:12:48.493-0400 DEBUG Start scan : /etc/group
2025-08-13T11:12:48.493-0400 DEBUG Start scan : /etc/hosts
2025-08-13T11:12:48.493-0400 DEBUG Start scan : credential files
2025-08-13T11:12:48.494-0400 DEBUG Scan start : config file
2025-08-13T11:12:48.494-0400 DEBUG Scan start : DOCKER_CONTENT_TRUST
2025-08-13T11:12:48.494-0400 DEBUG Start scan : cache files
2025-08-13T11:12:48.494-0400 DEBUG End assessments...
FATAL - DKL-DI-0005: Clear apt-get caches
* Use 'rm -rf /var/lib/apt/lists' after 'apt-get install|update' : RUN /bin/sh -c set -eux; apt-get update; apt-get install -y --no-install-recommends ca-certificates ; apt-get dist-clean # buildkit
WARN - CIS-DI-0001: Create a user for the container
* Last user should not be root
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
INFO - CIS-DI-0008: Confirm safety of setuid/setgid files
* setuid file: urwxr-xr-x usr/bin/mount
* setuid file: urwxr-xr-x usr/bin/su
* setgid file: grwxr-xr-x usr/sbin/unix_chkpwd
* setuid file: urwxr-xr-x usr/bin/chsh
* setgid file: grwxr-xr-x usr/bin/expiry
* setuid file: urwxr-xr-x usr/bin/newgrp
* setuid file: urwxr-xr-x usr/bin/passwd
* setgid file: grwxr-xr-x usr/bin/chage
* setuid file: urwxr-xr-x usr/bin/chfn
* setuid file: urwxr-xr-x usr/bin/gpasswd
* setuid file: urwxr-xr-x usr/bin/umount
Output of dockle -v:
dockle version 0.4.15
Additional details (base image name, container registry info...):
The dist-clean command was added in apt 2.7.8. See https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=959093
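To illustrate what accepting dist-clean in the check would look like, here is an added Go example (not Dockle's own code; the function and regex names are assumptions). It splits a RUN line as Dockle prints it into shell commands and passes the line when the last apt-get install/update is followed by either rm -rf /var/lib/apt/lists or apt-get dist-clean; the RUN line in main is the one from the report above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	sep       = regexp.MustCompile(`\s*(?:;|&&|\|\|)\s*`) // ; && || (quoting not handled)
	aptFetch  = regexp.MustCompile(`^apt(-get)?\s+(install|update)\b`)
	rmLists   = regexp.MustCompile(`^rm\s+(-\S+\s+)*/var/lib/apt/lists`)
	distClean = regexp.MustCompile(`^apt(-get)?\s+(dist-clean|distclean)\b`)
)

// splitShell turns a RUN instruction as Dockle prints it into its shell commands.
func splitShell(run string) []string {
	run = strings.TrimPrefix(run, "RUN ")
	run = strings.TrimPrefix(run, "/bin/sh -c ")
	if i := strings.LastIndex(run, " #"); i >= 0 { // drop BuildKit's "# buildkit" comment
		run = run[:i]
	}
	var cmds []string
	for _, c := range sep.Split(run, -1) {
		if c = strings.TrimSpace(c); c != "" {
			cmds = append(cmds, c)
		}
	}
	return cmds
}

// aptCacheCleared: a RUN line passes DKL-DI-0005 when no package lists were fetched,
// or the last apt-get install/update is later followed by rm -rf /var/lib/apt/lists or apt-get dist-clean.
func aptCacheCleared(run string) bool {
	lastFetch, lastClean := -1, -1
	for i, c := range splitShell(run) {
		switch {
		case aptFetch.MatchString(c):
			lastFetch = i
		case rmLists.MatchString(c), distClean.MatchString(c):
			lastClean = i
		}
	}
	return lastFetch < 0 || lastClean > lastFetch
}

func main() {
	run := "RUN /bin/sh -c set -eux; apt-get update; apt-get install -y --no-install-recommends ca-certificates ; apt-get dist-clean # buildkit"
	fmt.Println(aptCacheCleared(run)) // true
}
```

Dockle's real implementation may tokenize RUN lines differently; the point is only that dist-clean is treated as an accepted cleanup step after the last fetch.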